ioctl_sg01 testing failure on a specific usb storage
```
$ ./ioctl_sg01
tst_test.c:1733: TINFO: LTP version: 20240524
tst_test.c:1617: TINFO: Timeout per run is 1h 00m 30s
ioctl_sg01.c:83: TINFO: Found SCSI device /dev/sg0
ioctl_sg01.c:123: TFAIL: Kernel memory leaked
HINT: You _MAY_ be missing kernel fixes:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a45b599ad808
HINT: You _MAY_ be vulnerable to CVE(s):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000204
Summary:
passed 0
failed 1
broken 0
skipped 0
warnings 0
```
```
$ sudo sginfo -A /dev/sg0
INQUIRY response (cmd: 0x12)
----------------------------
Device Type 0
Vendor: USB
Product: SanDisk 3.2Gen1
Revision level: 1.00
```
After investigating further, it seems that the device returns some structured data after each consecutive ioctl test:

| iteration | buffer[0] | buffer[1] | buffer[2] | buffer[3] | buffer[4] | buffer[5] | buffer[6] | buffer[7] | ... |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 0x55(U) | 0x53(S) | 0x42(B) | 0x53(S) | 0x21(!) | 0x39(9) | 0x1() | 0x8() | 0x0 |
| 2 | 0x55(U) | 0x53(S) | 0x42(B) | 0x53(S) | 0x22(") | 0x39(9) | 0x1() | 0x8() | 0x0 |
| 3 | 0x55(U) | 0x53(S) | 0x42(B) | 0x53(S) | 0x23(#) | 0x39(9) | 0x1() | 0x8() | 0x0 |
| 4 | 0x55(U) | 0x53(S) | 0x42(B) | 0x53(S) | 0x24($) | 0x39(9) | 0x1() | 0x8() | 0x0 |
| 5 | 0x55(U) | 0x53(S) | 0x42(B) | 0x53(S) | 0x25(%) | 0x39(9) | 0x1() | 0x8() | 0x0 |
| ... |

Looking into ioctl_sg01.c, I think I can assume the test SCSI command is TEST UNIT READY, since all the fields are initialized to zero. For this command, I did not find in the spec what the return buffer should be.

So I'm wondering whether TEST UNIT READY is an appropriate command for this test case, or whether this is a special USB storage device. Any thoughts? Thanks.

TEST UNIT READY command should not write anything into the ioctl query buffer. If this device driver does, it's buggy and possibly vulnerable to the CVE mentioned in the test output.
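
An added example, not LTP code and not part of either post above: it sends the all-zero TEST UNIT READY CDB through `SG_IO` into a poisoned buffer and counts the bytes that came back changed, so a device or driver that writes on a no-data command is visible even when it writes zeros. It also checks for the `USBS` prefix seen in every row of the table, which is the signature of a USB Bulk-Only Transport Command Status Wrapper followed by a 32-bit little-endian tag; `POISON`, the function names and the 5-second timeout are assumptions of this example.

```c
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <scsi/sg.h>

#define POISON 0xA5 /* fill value chosen for this example */

/* Number of bytes that no longer hold the poison value. */
size_t dirty_bytes(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += buf[i] != POISON;
    return n;
}

/* If buf starts with the CSW signature "USBS", store the little-endian
 * dCSWTag in *tag and return 1; otherwise return 0. */
int parse_csw_tag(const unsigned char *buf, size_t len, uint32_t *tag)
{
    if (len < 8 || memcmp(buf, "USBS", 4) != 0)
        return 0;
    *tag = buf[4] | buf[5] << 8 | buf[6] << 16 | (uint32_t)buf[7] << 24;
    return 1;
}

/* Issue TEST UNIT READY (6-byte CDB, all zero) on an sg node.
 * Returns the dirty byte count, or -1 if open() or ioctl() fails. */
long probe_tur(const char *dev, unsigned char *buf, unsigned int len)
{
    unsigned char cdb[6] = {0}, sense[32];
    sg_io_hdr_t hdr = {0};
    int fd = open(dev, O_RDONLY);
    if (fd < 0)
        return -1;
    memset(buf, POISON, len);
    hdr.interface_id = 'S';
    hdr.dxfer_direction = SG_DXFER_FROM_DEV;
    hdr.cmd_len = sizeof(cdb);      hdr.cmdp = cdb;
    hdr.dxfer_len = len;            hdr.dxferp = buf;
    hdr.mx_sb_len = sizeof(sense);  hdr.sbp = sense;
    hdr.timeout = 5000; /* milliseconds */
    int rc = ioctl(fd, SG_IO, &hdr);
    close(fd);
    return rc < 0 ? -1 : (long)dirty_bytes(buf, len);
}
```

A result of 0 from `probe_tur("/dev/sg0", buf, len)` means the buffer came back untouched; a non-zero count whose first bytes parse as a CSW points at transport status data being copied into the caller's buffer rather than arbitrary kernel memory.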